June 7, 2024 at 10:39AM
A new PHP remote code execution (RCE) vulnerability, CVE-2024-4577, affects PHP for Windows in every release since the 5.x line. Although a patch has been released, updating large-scale deployments is difficult, so many systems remain exposed. The flaw abuses the ‘Best-Fit’ character-encoding behaviour on Windows and bypasses the protections that were put in place for an earlier PHP CGI issue. Mitigations include upgrading to a patched version, applying a mod_rewrite rule, or migrating from CGI to FastCGI, PHP-FPM, or Mod-PHP.
Key takeaways from the meeting notes:
– A new PHP for Windows remote code execution (RCE) vulnerability, tracked as CVE-2024-4577, impacts all releases since version 5.x, potentially affecting a large number of servers worldwide.
– The vulnerability was discovered by Devcore Principal Security Researcher Orange Tsai and reported to PHP developers on May 7, 2024. PHP project maintainers have already released a patch to address the vulnerability.
– Applying security updates on a large-scale deployment could be complicated, leaving a significant number of systems vulnerable.
– The Shadowserver Foundation has already detected multiple IP addresses scanning for vulnerable servers, indicating potential exploitation attempts.
– The CVE-2024-4577 flaw is caused by an oversight in handling character encoding conversions, specifically the ‘Best-Fit’ feature on Windows when PHP is used in CGI mode.
– The vulnerability impacts all versions of PHP for Windows, including the End-of-Life (EoL) branches PHP 8.0, PHP 7.x and PHP 5.x; the recommended fix is to upgrade to the patched versions PHP 8.3.8, PHP 8.2.20 or PHP 8.1.29.
– For systems that cannot be upgraded immediately, and for users of EoL versions, it is recommended to apply a mod_rewrite rule that blocks the attack, or to migrate away from CGI mode to a more secure alternative such as FastCGI, PHP-FPM or Mod-PHP.
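The mod_rewrite stopgap mentioned above, as an added example that is not part of the original post or the PHP project's own code: the rule published in the PHP security advisory rejects requests whose raw query string starts with `%ad`, and the script below applies the same condition to Apache combined-format access-log lines so an operator can check whether such requests reached a php-cgi host before the rule or the patch was in place. The log format and all sample lines are assumptions constructed for the example.

```python
"""Apply the CVE-2024-4577 mod_rewrite stopgap condition to Apache log lines.
The rule in the PHP security advisory for hosts that cannot upgrade is:
    RewriteEngine On
    RewriteCond %{QUERY_STRING} ^%ad [NC]
    RewriteRule .? - [F,L]
It rejects any request whose raw query string begins with "%ad" (any case).
The scanner below applies that same test to combined-format access-log
lines, so an operator can check whether such requests reached a php-cgi
host before the rule or the patch was in place. Log lines are constructed.
"""
import re
from urllib.parse import urlsplit

# Minimal parser for the start of an Apache combined-format log line (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def matches_rewrite_rule(target: str) -> bool:
    """Mirror `RewriteCond %{QUERY_STRING} ^%ad [NC]` on the raw request target.
    urlsplit() does not percent-decode, so the test runs on the raw query
    string, just as Apache's QUERY_STRING variable does."""
    query = urlsplit(target).query
    return query[:3].lower() == "%ad"

def scan_access_log(lines):
    """Return one record per log line that the rewrite rule would have blocked."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and matches_rewrite_rule(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "target": m["target"], "status": int(m["status"])})
    return hits

# Constructed samples: RFC 5737 documentation addresses and harmless query values.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Jun/2024:10:39:00 +0000] "GET /index.php?%ADx=1 HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [07/Jun/2024:10:40:12 +0000] "GET /index.php?page=%ad HTTP/1.1" 200 128 "-" "-"',
    '192.0.2.9 - - [07/Jun/2024:10:41:30 +0000] "GET /index.php HTTP/1.1" 200 64 "-" "-"',
    '192.0.2.9 - - [07/Jun/2024:10:42:00 +0000] "POST /index.php?%adx HTTP/1.1" 403 0 "-" "-"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        # A 200 here means the request was served before the stopgap was applied.
        print(f'{hit["ts"]} {hit["ip"]} {hit["target"]} -> {hit["status"]}')
```

The second sample line is not flagged because the rule, like this check, is anchored to the start of the query string; the rule is a stopgap only, and the durable fix remains upgrading or moving off CGI mode.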